Assurance—evidence that a computer system is secure with respect to a given security policy—is an important theme in secure computing. Assurance would have been indeed possible, if the underlying hardware and software had been shown to be correct as per the intended specifications. However, showing the correctness of hardware/software in totality is impossible. It may be pointed that bugs in an application can enable data stealing. That is why, it is important to assure the absence of information leaks in any application. One of the beginning building blocks towards such an assurance is the first building of a system's Trusted Computing Base (TCB)—realized correctly—through which a complete secure system could be built. For high assurance, the TCB needs to be small and the policy simple. Information flow control (IFC) is one such policy; it specifies how information is allowed to move around in a system and disseminated.
In late 1960s, the US military started the visualization of a “multilevel” computer system wherein information leaks from a user process handling classified data can be either shown to be leak free or at least accountability of the leak can be traced. Of course, it is impractical to require every application program to come from a trusted source; many essential tools are too big and complicated to rebuild, or even to audit. IFC solves this problem by requiring that no action of a secret process can affect the state of an unclassified one.
In 1973, Bell and LaPadula [ref: D. E. Bell and L. J. LaPadula. Secure computer systems: Unified exposition and multics interpretation. In Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, Mass., 1975.] formulated a mathematical framework and a model for IFC to deal with the problems of confidentiality in the context of military computer systems. The model has since been refined and extended with the objective of producing a secure computer system design. From a different perspective, Biba [ref: K. Biba. Integrity considerations for secure computer systems. Tech Report ESDTR-76-372, MITRE, Mass, 1976.] developed integrity policies for addressing the problems of improper data modification posed by secure military computer utility.
In 1976, Denning [ref.: D. E. Denning A lattice model of secure information flow. Comm ACM, 19(5):236-243, 1976.] derived a lattice model of secure information flow that permits concise formulations of the security requirements of several existing systems and facilitates construction of mechanisms that enforce security. Further, the model provides a unifying view of all systems that restrict information flow including BLP and Biba.
In Denning's model, each subject and object is assigned a security class/label, and permissible information flows are defined by a binary relation on security classes. When a subject i.e. the active entities whose actions cause information to flow requests an operation to be performed on an object i.e. the passive entities containing information, it is granted only if the resulting information flow satisfies the permissible flow relation. The flow rule is good because it composes: if each step obeys the rule, the whole computation does so. Hence the label on every data item is at least the maximum of the labels on everything that affected it; the rule is end to end. It is certainly simple, and assurance is just evidence that each step obeys it.
The work of Myers and Liskov [ref.: A. C. Myers and B. Liskov. A decentralized model for information flow control. In SOSP '97, pages 129-142, New York, N.Y., USA.] (DIFC) in 1997, revived the field by deriving a decentralized label model that allows subjects to create their own labels for controlling the flow of their data. DIFC became popular due to the decentralized nature of flow control and led to the development of several systems for realizing secure programming systems (Jflow, FlowCaml etc.), operating systems (Asbestos, HiStar, Flume, Laminar etc.) and distributed systems (Fabric, DStar, Airavat etc.).
In the early 1980s research on information flow led to the Trusted Computer System Evaluation Criteria (“Orange Book”) [ref.: Department of Defense Standard—5200.28-STD. Trusted Computer System Evaluation Criteria. December 1985], which defines the security of a computer system by how well it implements flow control and how good its assurance is. Despite a lot of effort being invested in developing systems satisfying these criteria, they all had the following problems: large TCB, slow, not easy to use, and very limited functionality.
Myers' label system called DLM [ref.: A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4):410-442, Oct. 2000.] includes only readers for protecting confidentiality and only writers for protecting integrity. However, it is important to note that for a proper tracking of any information flow property, it is important to control both reading and writing by subjects. Stefan et al. introduced a label system referred to as DC labels [ref.: D. Stefan, A. Russo, D. Mazi'eres, and J. C. Mitchell. Disjunction category labels. In Proceedings of the 16th Nordic Conference on NordSec, pages 223-239, Berlin, Heidelberg, 2012. Springer-Verlag] that incorporate both readers and writers. But it must be noted that it is not easy to derive DC labels for modelling a given requirement. Moreover, their support for discretionary controls is orthogonal to the IFC and thus defeats the purpose of the mandatory controls.
Butler Lampson—a Distinguished Computer Scientist, in a recent technical perspective [B. Lampson. Making untrusted code useful: technical perspective. CACM, Vol. 54 No. 11, Page 92, November 2011.] on HiStar says “This is the latest step in the long and frustrating journey toward secure computing. It is a convincing solution for some serious practical problems. The general-purpose computing that failed in the 1980s has not been tried”.